Worried that the Heartbleed security bug has revealed your Internet passwords and other confidential information?

If you’re in British Columbia, you may have to find that out for yourself: companies don’t have to tell you.

Some Vancouverites who have accounts with U.S.-based companies that are bound by law to disclose security breaches have already received an email warning, but in B.C., where disclosure isn’t mandatory, many concerned consumers are left seeking answers from companies that hold their confidential information.

While the list of affected websites runs to the hundreds of thousands and includes the Canada Revenue Agency, banks in Canada were not affected, nor were Vancity and Coast Capital or any other credit unions that use banking systems created by Central 1 Credit Union.

While a number of B.C. companies don’t use the security software affected by the Heartbleed bug, Rogers/Yahoo! email customers are among those whose login information could have been exposed by the flaw.

“Rogers.com doesn’t use the impacted versions of the SSL software, so was not impacted by the bug. Yahoo!, the provider of Rogers/Yahoo! email, implemented the fix to its mail site shortly after the issue was identified,” Rogers spokeswoman Luiza Staniec said in an emailed response to The Vancouver Sun.

Telus said it has some websites that use the affected technology and, like the Canada Revenue Agency, has taken them offline temporarily while it applies the patch to fix the flaw. Telus didn’t identify the websites or the number of customers or vendors affected.

News of the security flaw comes amid possible changes to Canadian privacy legislation with proposed amendments in Bill S-4 that received first reading this week in Ottawa. And in B.C., a review is underway considering amendments to privacy legislation here, where neither the private nor the public sector is bound to disclose breaches.

Dominic Vogel, a senior security consultant with Vancouver’s Grant Thornton, an accounting and business advisory firm, said Heartbleed highlights the need to make online security a priority.

“My advice to both consumers and businesses is that security is something they need to start taking a little more interest in,” he said. “You don’t need to be a computer science doctorate to practice good security. The most basic stuff isn’t being done and if we all did that, it makes it much harder for attackers or the bad guys to take advantage of us.”

But he said consumers shouldn’t panic. “The analogy I like to give is if you go to bed at night and forget to lock the front door, there is the potential that you will be robbed; it doesn’t mean someone will rob you.”

The Canadian Bankers Association (CBA) issued a press release saying Canadian banks have not been affected.

“The online banking applications of Canadian banks have not been affected by the Heartbleed bug. Canadians can continue to bank with confidence,” the release said.

RBC and the TD bank took to Twitter to reassure customers.

“We take every threat seriously and would like to assure everyone that our websites have not been affected by the Heartbleed security bug,” posted RBC on its Twitter site.

Vancity and Coast Capital credit unions also posted on social media to let customers know their websites have not been impacted.

“Concerned by #heartbleed bug? OpenSSL, the affected technology, is not used by Vancity websites & apps. We’re not vulnerable to this issue,” tweeted Vancity.

Yahoo’s blogging site Tumblr.com warned users in an “urgent security update” that it uses the affected security technology, although it said it has no evidence of a breach.

“This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” Tumblr wrote in its security update.

Google announced it has patched a number of its services including Search, Gmail, YouTube, Wallet, Play, Apps and App Engine, while Google Chrome and Chrome OS were not affected.

Webnames.ca CEO Cybele Negris said while her company’s systems and services aren’t affected by the Heartbleed security vulnerability, their business clients are asking if they should have their website security certificates reissued.

How to protect yourself from the Heartbleed security bug:

1. While it is a good idea to change your password, first make sure any affected website you have visited has fixed the security breach. Otherwise, hackers could just pick up your new password and login credentials.

2. You can check with a website to see if it has been affected but if that’s not successful, try the open source Heartbleed test at filippo.io/Heartbleed. It’s not an exact test since a number of sites return an error message that means the test can’t determine whether or not the site is vulnerable. If you use the Chrome browser, you can install the Chromebleed checker that warns if a website you’re browsing is vulnerable.

3. Don’t use the same password and user name for signing into multiple websites.

4. Vogel recommends using a password manager like LastPass or Keepass, which will generate and manage passwords, saving the user what has become an almost impossible task of remembering and updating passwords for the many websites that require users to log in.

6. When you are on a public Wi-Fi site, such as a coffee shop, don’t go on any websites that require you to log in with your user name and password.

7. If you want to create a secure connection to the Internet through a VPN (Virtual Private Network), such as the one that may be on your company computer, check out CNET.com, where you can download software to create your own VPN. Vogel suggests checking CNET’s review and download site to find legitimate software so you don’t inadvertently download malware that may turn up in a Google search.

8. Passwords of eight characters or fewer are easily cracked, so if a site allows it, make your password longer and include a mix of letters, symbols and numbers.
